PCI scan Failing

  • Hello everyone

    I have a wordpress blog setup at
    https://qualityprotectionproducts.com/blog

    Since i accept credit card payment online i have to pass PCI Compliance Test. But my website is failing. I have tried many times but always the scan shows that my version of wordpress is vulnerable

    Below the Error description :-

    Description : The version of WordPress on the remote host does not properly check for administrative credentials in the ‘is_admin()’ function in ‘wp-includes/query.php’. Using a specially-crafted URL that contains the string ‘wp-admin/’, an attacker may be able to leverage this issue to view posts for which the status is classified as ‘future’, ‘draft’, or ‘pending’, which would otherwise be available only to authenticated users. See also : https://www.securityfocus.com/archive/1/4 85160/30/0/threaded https://trac.www.ads-software.com/ticket/5487 Solution: Unknown at this time.

    Please anyone help
    My previous version of wordpress were able to pass the test. Since i have updated wordpress to latest version it is failing.

Viewing 7 replies - 1 through 7 (of 7 total)

  • I am having the same problem. Can anyone offer any sort of solution?

    You could try asking a friendly PCI consultancy for advice; only one I’ve had any joy with is Metasure https://metasure.co.uk and they did want paying (after providing some free advice) but one of their guys was quite knowledgeable about changing the permission schedules…

    syoof

    (@syoof)

    Hi,

    I have the same issue here. I am using WordPress 2.8.6, can someone please advise if this issue is common in this release,and if there were any patches created to reslove it.

    Hi,

    I am having the same issue- Security Metrics is failing my PCI Complaince on our e-commmerce web site. I upgraded our WordPress version to 2.9.2 yesterday. Ran a new SM scan and we are still failing for the same reason:
    Description : The version of WordPress on the remote host does not properly check for administrative credentials in the ‘is_admin()’ function in ‘wp-includes/query.php’. Using a specially-crafted URL that contains the string ‘wp-admin/’, an attacker may be able to leverage this issue to view posts for which the status is classified as ‘future’, ‘draft’, or ‘pending’, which would otherwise be available only to authenticated users. See also : https://www.securityfocus.com/archive/1/4 85160/30/0/threaded https://trac.www.ads-software.com/ticket/5487 Solution: Unknown at this time. Risk Factor: Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N) BID : 26885 Other references : OSVDB:39518, Secunia:28130 [More]

    Any thoughts on how to fix this would be great!

    Thanks,
    Katrina

    We have the exact same issue – PCI tests failing as above and no idea how to resolve this. We are using version 2.9.2 also

    Please can somebody help?

    Any solution?

    Gotta pass PCI

    Thanks

    I’m researching this issue for a client. Would love to know if anyone has found a solution yet. I suspect it to be something non-WordPress related since I’m using clean URLs but I have seen that I can pass XSS hacks on the URL and they are NOT sanitized.

    See https://technet.microsoft.com/en-us/library/cc512662.aspx for more info

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘PCI scan Failing’ is closed to new replies.